Author Topic: trojan horse collected.6.BC  (Read 901 times)

Offline snowborec

trojan horse collected.6.BC
« on: May 23, 2005, 03:08:50 PM »
I have a problem with trojan horse collected.6.BC.
Could anyone please help me? I would be very grateful. Thank you so much. Tess

Logfile of HijackThis v1.99.1
Scan saved at 21:26:41, on 23.5.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\shnlog.exe
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\popuper.exe
C:\WINDOWS\system32\PROMon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\intmonp.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\system32\intmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Corel\Graphics8\Programs\MFIndexer.exe
C:\Program Files\FRITZ!\IWatch.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\wincmd\WINCMD32.EXE
c:\Documents and Settings\Tom\Dokumenty\AAAVIRUSHELP\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.startsearches.net/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.startsearches.net/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.startsearches.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\system32\hp2438.tmp
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Nortons AV SYSTEM] scvchost.exe
O4 - HKLM\..\Run: [desktop] C:\WINDOWS\system32\desktop.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\system32\msmsgs.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe"
O4 - HKLM\..\RunServices: [Nortons AV SYSTEM] scvchost.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Nortons AV SYSTEM] scvchost.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
O4 - Global Startup: FRITZ!fax.lnk = C:\Program Files\FRITZ!\FriFax32.exe
O4 - Global Startup: ISDNWatch.lnk = C:\Program Files\FRITZ!\IWatch.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Crear un favorito móvil - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Crear un favorito móvil... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1108336288187
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C36EFD3-B343-495A-9478-E39BDCC0C4BA}: NameServer = 192.168.120.252,192.168.120.253
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0F2A713-356D-4F26-998E-BD64086CDB34}: NameServer = 195.146.100.5 195.146.99.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{0C36EFD3-B343-495A-9478-E39BDCC0C4BA}: NameServer = 192.168.120.252,192.168.120.253
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\PROGRAM FILES\FRITZ!\de_serv.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe

Offline guestolo

trojan horse collected.6.BC
« Reply #1 on: May 23, 2005, 04:21:43 PM »
Download and save to Desktop SDBOT removal tool from F-Prot
Disconnect from the Internet
ftp://ftp.f-secure.com/anti-virus/tools/f-sdbot.exe

Give the link time to load, or try it twice
Run the tool
Allow it to finish running
Restart your computer afterwards

Come back here

Download Silent Runners.vbs
http://www.cs.nyu.edu/~vs667/articles/hoto...lentRunners.zip

UNZIP the contents to desktop
Double click to Run Silent Runners
WAIT for the scan to finish, it will notify you when it's complete

Post back the log that's produced

Could you also post back a fresh Hijackthis log

And also
Go to START>>RUN>>COPY AND PASTE the bold line into the open field and then
Click OK

regedit /e C:\find.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\explorer\Run"

Find this text file
C:\find.txt
If it exists, open find.txt and copy and paste back the contents
« Last Edit: May 23, 2005, 04:55:48 PM by guestolo »



Winman1

  • Guest
trojan horse collected.6.BC
« Reply #2 on: May 23, 2005, 04:49:26 PM »
Hijack this works great. Also try the Microsoft software Anti-Spyware removal and their Malicious software removal tool. Both are free and can be downloaded from Microsoft's download site. I had to try all 3 of these last time to remove some bad virus and worms. Try them and good luck.